openerp-expert-framework team mailing list archive

[RFC] context context in forms, views etc.

 

There is a new phenomenon, like a bug, that has been triggered in my version 
of the server. I believe, at this point, it calls for some discussion:

In an attempt to tighten security of pythonic code, I have replaced instances 
of eval() with one safe_eval(), customized to /not/ expose dangerous functions 
(did you know that 'import' can be called through eval() ? )

Anyway, as expected, this is incompatible with some context expressions found 
in forms/views. 

Notably, now, in stock/product_view.xml:product.search.stock.form, we have a 
context like {'location': self } . Really, what is that supposed to mean? How 
is it used? Isn't 'self' the product.product class? Will it always be the 
project, if that search form is eg. included in some inherited object somehow?

other contexts that I will have to re-enable at the safe_eval are like 
{ 'category': category.id } . Clear.

Major question is: what objects should be exposed at the context of the eval() 
of the context? (confused wording? ) 
Do we have a definite guide of what's available at that context's context? 
Should we note that at the developer's book, so that view designers know how 
to form the context strings?

Proposition (beware: API change): use a very strict, and well defined set of 
objects that will be defined at a context (or domain) dict. Don't use the 
'self' notation (because it's a keyword), better use "this" (in honour of C++) 
and let "this" be a dict of the parent class's browsable objects. Note down 
requirements for forms, so that we make available the necessary information at 
the context. Be careful, if possible, not to expose objects that will give 
access to third functions (like <obj>.pool.get('res.users')...)

Please, I expect your comments on that.
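
One way to pin down the "strict, well defined set of objects" proposed above, as an added example that is not part of the original post and is not OpenERP's safe_eval. The names `eval_context`, `is_allowed`, `Record` and the node whitelist are assumptions made for illustration; it targets Python 3.8+.

```python
import ast

# Assumed whitelist: literals, names, attribute reads, simple tests. No calls.
ALLOWED = (ast.Expression, ast.Dict, ast.List, ast.Tuple, ast.Constant,
           ast.Name, ast.Load, ast.Attribute, ast.UnaryOp, ast.USub, ast.Not,
           ast.BoolOp, ast.And, ast.Or, ast.Compare, ast.Eq, ast.NotEq,
           ast.In, ast.NotIn)


class ContextError(ValueError):
    """Raised when an expression steps outside the defined namespace."""


class Record:
    """Constructed stand-in for a browsable record: plain data fields only."""
    def __init__(self, **fields):
        self.__dict__.update(fields)


def eval_context(expr, names):
    """Evaluate a view context string against an explicit dict of names."""
    tree = ast.parse(expr.strip(), mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED):
            raise ContextError("%s not allowed" % type(node).__name__)
        if isinstance(node, ast.Name) and node.id not in names:
            raise ContextError("unknown name %r" % node.id)
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            raise ContextError("private attribute %r" % node.attr)
    # The names dict is the whole documented API; builtins are not reachable.
    return eval(compile(tree, "<context>", "eval"),
                {"__builtins__": {}}, dict(names))


def is_allowed(expr, names):
    """True if the expression evaluates inside the defined namespace."""
    try:
        eval_context(expr, names)
        return True
    except (ContextError, SyntaxError):
        return False


if __name__ == "__main__":
    names = {"category": Record(id=7), "this": Record(id=3)}  # constructed
    for expr in ("{'category': category.id}", "{'location': self}",
                 "__import__('os')", "this.pool.get('res.users')"):
        print("%-32s allowed=%s" % (expr, is_allowed(expr, names)))
```

Because calls are rejected at the syntax-tree level, an exposed object cannot be used to reach further functions even if it carries a `pool` attribute, and any name not listed in the dict fails with a clear error instead of resolving to whatever happens to be in scope.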


